 
Johnathan123
just joined
Topic Author
Posts: 3
Joined: Sat Apr 12, 2025 12:58 pm

Help with NAT

Sat Apr 12, 2025 1:31 pm

Hello all,

I am stuck on a NAT issue and I would appreciate your help.

I was given a TV box and a WireGuard client setup so that traffic from the box will go through WireGuard.

I had set up WireGuard on my MikroTik (hAP ax lite, v7.18.2) and I am able to ping 8.8.8.8 / 1.1.1.1 through the WireGuard IP 10.10.0.20/24. Probably the server side allows only this IP (10.10.0.20), since when I changed it to .25 or to a different subnet I couldn't ping anything.

So now I have the TV box connected on the LAN side (ether2) with network address 192.168.94.10/24 (gateway IP 192.168.94.1). I added both WireGuard and the TV box to the same VRF, added routing rules for network 192.168.94.0/24 to look only in table vpn_vrf, and a static route 0.0.0.0/0 through WireGuard.

When I ping 1.1.1.1 with src address 192.168.94.1 and vrf=vpn_vrf, I can see the packets (with the sniffer) reaching the WireGuard interface, but since the source IP is 192.168.94.1 I suspect they are dropped on the server side. So I need to change the source IP to 10.10.0.20 for packets from network 192.168.94.0/24.

I tried various NAT rules but couldn't get it to work.

** MikroTik is running the default config.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with NAT

Sat Apr 12, 2025 3:06 pm

Would need to see the MT config:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, VPN keys)

The WireGuard info you were given to connect to the remote WireGuard site
(minus endpoint address, keys).

Diagram of how all the pieces are connected would be useful.
 
Johnathan123
just joined
Topic Author
Posts: 3
Joined: Sat Apr 12, 2025 12:58 pm

Re: Help with NAT

Sat Apr 12, 2025 8:07 pm

I apologize for the messed-up configuration; I use it as a lab most of the time but need to clear a lot of things.

So the scenario is:

ISP router <=> managed switch <=> VLAN XXX, VLAN X <=> MikroTik <=> WireGuard


On a port of the managed switch, VLAN XXX is configured for the TV box to receive an IP from the MikroTik's DHCP.

The MikroTik will route the traffic from the VLAN XXX network through the Box_VPN WireGuard tunnel, and the rest of the network will work on VLAN X.

I used this setup with NordVPN and Surfshark and it worked fine.

I am testing now directly from a port without the VLAN.
I created a VRF for this VPN (Box_VRF).

The issue now is that with the Box_VPN that was provided to me, the tunnel is established and I can ping the internet from the WireGuard interface, but when I try to ping from the LAN interface (ether2 for example) it is not pingable, probably because the VPN provider allows only traffic from IP 10.10.0.20; so when I ping from range 192.168.94.0/24 the traffic goes through Box_VPN but I do not receive a reply back.

Through the sniffer I can see that ICMP packets pass through Box_VPN with src address 192.168.94.1.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with NAT

Sat Apr 12, 2025 9:24 pm

Yeah, much too busy for me to look at in any detail, and I won't bother until it's cleaned up.
I did note that this is wrong:
add allowed-address=0.0.0.0/0 client-address=10.194.91.2/32 client-endpoint=xx.xx.xx.xx client-keepalive=10s \
client-listen-port=13834 interface=wireguard_1 name= public-key=""
add allowed-address=0.0.0.0/0 client-address=10.194.91.3/32 comment=" iPhone " interface=wireguard_1 name= public-key=\
""
add allowed-address=0.0.0.0/0 client-address=10.194.93.1/32 endpoint-address=xx.xx.xx.xx endpoint-port=13833 interface=wireguard1 \
name= persistent-keepalive=10s public-key=""

The third WireGuard interface name does not match the other two...
So the first two are noise????
/interface wireguard
add disabled=yes listen-port=51822 mtu=1420 name=Box_VPN
add listen-port=13833 mtu=1420 name=wireguard1
add listen-port=51821 mtu=1420 name=Nordlynx
add listen-port=51820 mtu=1420 name=Surfshark_VPN
add comment=back-to-home-vpn listen-port=11429 mtu=1420 name=back-to-home-vpn
add listen-port=13834 mtu=1420 name=wireguard_2
 
rplant
Long time Member
Posts: 609
Joined: Fri Sep 29, 2017 11:42 am

Re: Help with NAT

Sun Apr 13, 2025 6:48 am

One thing I checked was:
you want the WireGuard interface to be a member of the WAN list (and very likely don't want it to be a member of the LAN list).
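As an added example that none of the posters supplied, here is a minimal RouterOS v7 configuration for the layout the first post describes (tunnel and TV-box port in one VRF, default route via the tunnel, source rewritten to the tunnel address) together with the interface-list point made above. The names Box_VPN, vpn_vrf, ether2 and the addresses 10.10.0.20/24 and 192.168.94.0/24 come from the thread; the listen port, keepalive, the bracketed endpoint/key placeholders, and the assumption that the default firewall (with its srcnat masquerade rule for out-interface-list=WAN) is still in place are mine.

```routeros
# Added example, not the poster's export. Placeholders in <...> stand for the
# values the VPN provider supplied; everything else is assumed.

/interface wireguard
add name=Box_VPN listen-port=51822 mtu=1420

/interface wireguard peers
# Client-side peer: all traffic is allowed through the tunnel, and the
# keepalive keeps the provider's NAT state alive.
add interface=Box_VPN allowed-address=0.0.0.0/0 endpoint-address=<PROVIDER_ENDPOINT> \
    endpoint-port=<PROVIDER_PORT> public-key="<PROVIDER_PUBLIC_KEY>" persistent-keepalive=25s

/ip address
add address=10.10.0.20/24 interface=Box_VPN
add address=192.168.94.1/24 interface=ether2

# Tunnel and TV-box port share one VRF; RouterOS creates the routing table
# with the same name, so traffic entering ether2 is looked up in vpn_vrf
# without any extra routing rule.
/ip vrf
add name=vpn_vrf interfaces=Box_VPN,ether2

# Default route inside the VRF table points into the tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway=Box_VPN routing-table=vpn_vrf

# The tunnel is WAN-side: with Box_VPN in the WAN list, the default-config
# srcnat masquerade rule rewrites the source to the tunnel's own address
# (10.10.0.20), and the default input/forward drop rules for WAN apply to
# anything arriving from the provider side.
/interface list member
add interface=Box_VPN list=WAN

# Explicit alternative if a fixed source address is preferred over
# masquerade; keep it above the default masquerade rule.
/ip firewall nat
add chain=srcnat src-address=192.168.94.0/24 out-interface=Box_VPN \
    action=src-nat to-addresses=10.10.0.20 comment="TV box -> provider address"

# Check: the rule counters should increase while the box is online, and the
# sniffer on Box_VPN should show 10.10.0.20 rather than 192.168.94.x sources.
/ip firewall nat print stats
/tool sniffer quick interface=Box_VPN
```

With the tunnel in the WAN list, the default masquerade rule alone is enough for forwarded TV-box traffic; the explicit src-nat rule is only needed if the provider requires exactly 10.10.0.20 and the tunnel interface ever carries a second address.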
 
Johnathan123
just joined
Topic Author
Posts: 3
Joined: Sat Apr 12, 2025 12:58 pm

Re: Help with NAT

Sun Apr 13, 2025 2:13 pm

Hi again,

I was playing with the other tunnels and messed up the names, but they are not related to my case I think; only the Box_VPN tunnel needs to be checked.

I have an update on the issue, and it seems that my problem is with the VRF.

Outside of the VRF, with the default configuration, the service is working OK; I added the routing table, routing rules etc. and it works. While pinging from 192.168.94.1 to 1.1.1.1 I can see the packets on the WireGuard interface with source IP 10.10.0.20.

When I add Box_VPN and a LAN interface under the same new VRF, then the NAT is not working properly, probably due to bad configuration on my side, but I would love some advice on where to look.
 
jaclaz
Forum Guru
Posts: 2618
Joined: Tue Oct 03, 2023 4:21 pm

Re: Help with NAT

Sun Apr 13, 2025 3:23 pm

If I may, and please don't take it as an offence, it seems to me that the configuration you posted is beyond any possible fixing/recovery; the related settings (right or wrong as they might be) are buried under countless layers of cruft/noise.

It is like I was asking you to come to my garage and find, in the tens of drawers and containers/boxes, a 6 mm long M4 grub screw (it is there, and it is far easier to find than a needle in a haystack, still ...).

I would suggest that you save the export (and/or make a backup) and start again from a reset configuration, adding only the settings you are trying to troubleshoot.

The new configuration will be anything between 2 and 4 Kb (as opposed to the current 16 Kb) and much easier to review.